I assign a number of Roles to a userid based upon the AD group it is a member of. Got this working for a number of Roles but one refuses to be assigned, even though I know the userid is a member of the group.
1) Authentication of the userid is performed by a service that has an authentication source with a base DN of
ou=users,ou=uoy,dc=its,dc=york,dc=ac,dc=uk
Search scope of one
2) Service authorisation is also performed, and another authorization source with a slightly different base DN has been added to the one above.
ou=inst,ou=groups,ou=uoy,dc=its,dc=york,dc=ac,dc=uk
Search scope of one
In the AD tree, amongst other things at the ou=inst,ou=groups,ou=uoy,dc=its,dc=york,dc=ac,dc=uk level I’ve got
cn=testclearpass - a test AD group with my userid in it
and
cn=g0790stf - an AD group with all the network team userids in it
I have 2 roles defined
UoY Network Team and UoY DPS Staff
UoY Network Team is assigned via the statement
(Authorization:UoY AD Authentication:memberOf CONTAINS cn=g0790stf,ou=Inst,ou=Groups,ou=UoY,DC=its,DC=york,DC=ac,DC=uk)
OR (Authentication:Username EQUALS_IGNORE_CASE jh1802)
OR (Authentication:Full-Username CONTAINS Alex.Sharaz)
OR (Authentication:Full-Username CONTAINS ms1691)
OR (Authentication:Full-Username CONTAINS rf1
UoY DPS Staff is assigned via the statement
(Authentication:Username EQUALS_IGNORE_CASE rjs502)
OR (Authorization:UoY AD Authentication:memberOf CONTAINS cn=testclearpass,ou=Inst,ou=Groups,ou=UoY,dc=its,dc=york,dc=ac,dc=uk)
Other statements include
(Authorization:UoY AD Authentication:memberOf EQUALS CN=g0087stf,OU=Inst,OU=Groups,OU=UoY,DC=its,DC=york,DC=ac,DC=uk)
To map role “IT Services Staff”
(Authorization:UoY AD Authentication:memberOf CONTAINS cn=g0000stf,ou=Inst,ou=Groups,ou=UoY,DC=its,DC=york,DC=ac,DC=uk)
To map role “Staff”
(Authorization:UoY AD Authentication:AccountStatus NOT_EQUALS 66050)
AND (Authorization:UoY AD Authentication:AccountStatus EXISTS )
To check if the AD account is enabled
Running a “Role Mapping” policy simulation using a role generation policy that has the above statements in it gives me a result that is as shown below
“IT Services Staff, Staff, UnQuarantined, UoY AD Account Enabled, UoY Network Team, UoY User, [User Authenticated]”
So all of the role assignments work except for the “UoY DPS Staff” one
I watched a colleague create the group, set the same access rights as the other groups and add my userid to it.
How can I debug what’s going on?
I know I’m mixing and matching upper/lower case and use of contains or equals but the other statements work
Rgds
Alex
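As an added offline debugging aid (this is example code written for this thread, not part of the original post and not ClearPass's own evaluation logic), the script below replays memberOf role-mapping rules of the kind quoted above against a list of memberOf values. It assumes that CONTAINS is a substring test and EQUALS a whole-string test on the DN strings AD returns, and that an authorization source can only see groups that an LDAP search with its base DN and search scope would return (scope "one" meaning immediate children of the base only). Every rule is reported twice, with exact-case and with case-folded matching, so a rule that fails purely because of letter case is distinguishable from one whose group sits outside the search scope or is not in memberOf at all. The memberOf values, the "nestedgrp" group and the matching rule are constructed sample data and say nothing about what the poster's directory actually returns.

```python
"""Offline replay of AD memberOf role-mapping rules (added example, not from
the post or from ClearPass). Assumes CONTAINS = substring test, EQUALS =
whole-string test on memberOf DN strings, and that a source only sees groups
an LDAP search from its base DN with its scope would return."""
from dataclasses import dataclass


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDN strings on commas that are not backslash-escaped."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def normalize_dn(dn: str) -> str:
    """Canonical form: trim each RDN and lower-case attribute type and value."""
    out = []
    for rdn in split_dn(dn):
        attr, _, val = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return ",".join(out)


def in_search_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Would an LDAP search from base_dn with this scope return entry_dn?"""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    if scope == "base":
        return entry == base
    if scope == "one":  # the entry's parent must be exactly the base
        return ",".join(split_dn(entry)[1:]) == base
    if scope == "sub":
        return entry == base or entry.endswith("," + base)
    raise ValueError(f"unknown scope {scope!r}")


def visible_groups(member_of: list[str], base_dn: str, scope: str) -> list[str]:
    """memberOf values the authorization source could actually have looked up."""
    return [dn for dn in member_of if in_search_scope(dn, base_dn, scope)]


@dataclass(frozen=True)
class Rule:
    role: str
    operator: str  # "CONTAINS" or "EQUALS"
    value: str     # DN (fragment) exactly as typed in the role-mapping rule


def rule_matches(rule: Rule, member_of: list[str], case_fold: bool) -> bool:
    """Apply one rule to the memberOf list, with or without case folding."""
    needle = normalize_dn(rule.value) if case_fold else rule.value
    for dn in member_of:
        hay = normalize_dn(dn) if case_fold else dn
        if rule.operator == "EQUALS" and hay == needle:
            return True
        if rule.operator == "CONTAINS" and needle in hay:
            return True
    return False


def evaluate(rules: list[Rule], member_of: list[str]) -> dict[str, tuple[bool, bool]]:
    """role -> (matches with exact case, matches after case folding)."""
    return {r.role: (rule_matches(r, member_of, False),
                     rule_matches(r, member_of, True)) for r in rules}


BASE_DN = "ou=inst,ou=groups,ou=uoy,dc=its,dc=york,dc=ac,dc=uk"

# Constructed memberOf values; they do not reflect the poster's real directory.
SAMPLE_MEMBER_OF = [
    "cn=g0790stf,ou=Inst,ou=Groups,ou=UoY,DC=its,DC=york,DC=ac,DC=uk",        # same case as its rule
    "CN=testclearpass,OU=Inst,OU=Groups,OU=UoY,DC=its,DC=york,DC=ac,DC=uk",    # AD-style upper case
    "CN=nestedgrp,OU=Sub,OU=Inst,OU=Groups,OU=UoY,DC=its,DC=york,DC=ac,DC=uk", # hypothetical, one OU below the base
]

RULES = [
    Rule("UoY Network Team", "CONTAINS", "cn=g0790stf,ou=Inst,ou=Groups,ou=UoY,DC=its,DC=york,DC=ac,DC=uk"),
    Rule("UoY DPS Staff", "CONTAINS", "cn=testclearpass,ou=Inst,ou=Groups,ou=UoY,dc=its,dc=york,dc=ac,dc=uk"),
    Rule("Nested (hypothetical)", "CONTAINS", "cn=nestedgrp,ou=Sub,ou=Inst,ou=Groups,ou=UoY,dc=its,dc=york,dc=ac,dc=uk"),
]


def diagnose(scope: str) -> dict[str, tuple[bool, bool]]:
    """Run the sample rules against the groups visible at the given search scope."""
    return evaluate(RULES, visible_groups(SAMPLE_MEMBER_OF, BASE_DN, scope))


if __name__ == "__main__":
    for scope in ("one", "sub"):
        print(f"scope={scope}")
        for role, (exact, folded) in diagnose(scope).items():
            print(f"  {role:24s} exact-case={exact!s:5s} case-folded={folded}")
```

Reading the output: a role that is True only in the case-folded column depends on the matching operator ignoring case; a role that is False in both columns at scope "one" but True at scope "sub" points at the search scope rather than the rule text; a role that is False everywhere means the group DN is simply not among the memberOf values given. Replace SAMPLE_MEMBER_OF with the memberOf values an ldapsearch of the user actually returns to run the same comparison on real data.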